net/http: document and protect against unsafe use of ServeFile #14110

Closed
bradfitz opened this issue Jan 27, 2016 · 2 comments

@bradfitz (Contributor) commented Jan 27, 2016

Martin Lenord notes:

I've seen this method of handling static files crop up a couple of times:
http://stackoverflow.com/questions/25945538/go-golang-to-serve-a-specific-html-file
http://jessekallhoff.com/2013/04/14/go-web-apps-serving-static-files/

Using http.ServeFile(w, r, r.URL.Path[1:]) to serve up a directory.
...

Normally ServeMux protects against this by accident, but it's not a good defense because there are ways around it and not everybody uses ServeMux.

We should instead document louder that it's unsafe, and add some protections against it.
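The pattern the issue warns about, placed next to a handler that refuses to let a request path escape a fixed document root. This is an added example, not code from the issue or from the Go standard library; the directory name `./static`, the port and the helper names `resolveUnderRoot` and `staticHandler` are assumptions for illustration. The hardened handler applies the check the raw `r.URL.Path[1:]` call skips (rejecting any `..` element, cleaning the path against `/`, and joining it onto an absolute root) before handing the result to `ServeFile`; the standard library's own rooted alternative, `http.FileServer(http.Dir(root))`, is shown beside it.

```go
package main

import (
	"errors"
	"net/http"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request path contains a ".." element or
// would otherwise resolve outside the static root.
var ErrOutsideRoot = errors.New("request path resolves outside the static root")

// unsafeStatic is the pattern quoted in the issue (assumed reconstruction for
// comparison only). The argument is relative, so it is resolved against the
// process's working directory, and the raw URL path is trusted as-is.
func unsafeStatic(w http.ResponseWriter, r *http.Request) {
	http.ServeFile(w, r, r.URL.Path[1:])
}

// resolveUnderRoot maps a URL path onto a file system path that is guaranteed
// to lie under root. It refuses ".." elements outright, cleans the path
// against "/" so it cannot climb above the logical root, and then verifies
// containment once more on the resulting OS path.
func resolveUnderRoot(root, urlPath string) (string, error) {
	for _, seg := range strings.Split(urlPath, "/") {
		if seg == ".." {
			return "", ErrOutsideRoot
		}
	}
	// Rooted Clean collapses "." and any stray ".." against "/".
	clean := path.Clean("/" + urlPath)

	rootAbs, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(rootAbs, filepath.FromSlash(clean))

	// Final containment check: the joined path must sit at or below rootAbs.
	rel, err := filepath.Rel(rootAbs, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// staticHandler serves files strictly from root; anything that fails the
// containment check is answered with 404 rather than an error that would
// reveal the path layout.
func staticHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		full, err := resolveUnderRoot(root, r.URL.Path)
		if err != nil {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, full)
	})
}

func main() {
	// Assumed directory name; any directory of static assets works.
	root := "./static"

	// Hardened explicit handler.
	http.Handle("/", staticHandler(root))

	// The standard library's rooted equivalent: http.Dir anchors every
	// request under root, so this is the idiomatic replacement for the
	// unsafe ServeFile call (unsafeStatic is deliberately not registered).
	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir(root))))

	http.ListenAndServe(":8080", nil)
}
```

Because `resolveUnderRoot` returns the resolved path instead of serving it, the containment rule can be unit-tested on its own, which is where a check like this belongs: in a test that fails if someone later loosens it.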

@bradfitz bradfitz self-assigned this Jan 27, 2016
@bradfitz bradfitz added this to the Go1.6 milestone Jan 27, 2016
@gopherbot commented Jan 27, 2016

CL https://golang.org/cl/18939 mentions this issue.

@gopherbot gopherbot closed this in 9b67a5d Jan 27, 2016
@nhooyr (Contributor) commented Jul 11, 2016

What ways are there around ServeMux's defence on this?

@golang golang locked and limited conversation to collaborators Jul 11, 2017